[12091] in bugtraq
Re: Team Asylum: Yahoo! Messenger DoS
daemon@ATHENA.MIT.EDU (Alan T. Ruiz)
Fri Oct 1 14:46:49 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <000901bf0c2b$f770b8f0$fba00fcf@ixlmemphis.net>
Date: Fri, 1 Oct 1999 11:42:35 -0500
Reply-To: "Alan T. Ruiz" <atruiz@CBU.EDU>
From: "Alan T. Ruiz" <atruiz@CBU.EDU>
X-To: Team Asylum <security@TEAM-ASYLUM.COM>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
I still see the same problem in build 734.
----- Original Message -----
From: Team Asylum <security@TEAM-ASYLUM.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Tuesday, September 28, 1999 8:08 PM
Subject: Team Asylum: Yahoo! Messenger DoS
> Team Asylum Security
> Copyright (c) 1999 By CyberSpace 2000
> http://www.team-asylum.com
> Source: Jason Pearsall [jason@team-asylum.com]
> Alert Date: 09/18/99
> Release Date: 09/27/99
>
> Affected
> --------
> - Yahoo! Messenger (build 733) for Windows 95/98.
>
> Product Description
> -------------------
> Yahoo! Messenger is a multi-functional online IM client which offers
> not only instant messaging, but also content-driven features integrated
> into Yahoo!'s vast amount of information services such as stock market
> updates, e-mail, and news.
>
> Alert Description
> -----------------
> A denial of service attack exists in build 733 of Yahoo! Messenger.
> The vulnerability exists when Messenger leaves port 5010 open. When
> a connection is made on port 5010, Messenger crashes. The connection
> stays open until the user closes the program.
>
> Malicious users can not only crash Yahoo! Messenger users, but it also
> gives them the capability of scanning and detecting Messenger users
> across wide networks by simply scanning port 5010.
>
> Fix
> ---
> Team Asylum has notified Yahoo! and they have released build 734.
> Yahoo! Messenger (Build 734) still has port 5010 open but will not crash
> if connections are made unto it.
>
> Yahoo! Messenger can be found at:
>
> http://messenger.yahoo.com
>
